Topic: Never use ELECTRUM WALLET! (Read 536 times)

legendary
Activity: 2744
Merit: 1708
August 26, 2019, 11:24:53 AM
#35

Looks like a very easy setup, which is strange because the tutorial I was using back then was a lot more complicated and required many more steps.

The only difference is that I was trying to decrypt a message back then, and now this is a signature check for the Mycelium wallet.

I will try it for sure, thank you very much for the link.
legendary
Activity: 3234
Merit: 5637
August 26, 2019, 04:36:37 AM
#34
How did the OP get the error message which had the clickable link to the fake Github page? A few months ago most Electrum server nodes started to crash any clients to prevent this from happening.

Electrum fixed the phishing pop-up notification completely in version 3.3.4, and any version below that is still vulnerable to such attacks. Users who still have older versions and are not aware of the danger will be the victims of such attacks for a very long time. Unfortunately, there is no way for such users to be contacted; they have a potential threat on their computer, and if they go the wrong way with the update, they will lose their coins, same as the OP.
legendary
Activity: 2730
Merit: 7065
August 26, 2019, 03:40:19 AM
#33
I think this is the main reason why people don't use PGP encryption more often, or even don't check the signatures: because it is too complicated.

I wonder if there is no improvement possible?

A very easy to use, super user-friendly PGP software that every not tech-savvy person can operate would be a perfect solution.
If you think about it, it really isn't complicated at all. All you have to do is read the instructions and follow them. The problem is that people are lazy.

Quote
Start by downloading GPG4Win and then install it. When installing you only need the Kleopatra component, so you can skip the other things included with the software.
The first step mentions you only need Kleopatra, so don't even bother installing the rest, or if you do, you don't need to use them ever.
Everything else is explained step by step. There are even pictures.

https://bitcoinelectrum.com/how-to-verify-your-electrum-download/
legendary
Activity: 2744
Merit: 1708
August 26, 2019, 03:17:39 AM
#32
...we do have an issue with wallets being too complicated for the average person, whose only tech knowledge is how to post selfies on social media.

I think this is the main reason why people don't use PGP encryption more often, or even don't check the signatures: because it is too complicated.

I wonder if there is no improvement possible?

A very easy to use, super user-friendly PGP software that every not tech-savvy person can operate would be a perfect solution.

...i am a windows user and have only verified signature on windows once. i didn't like Kleopatra either...

As I said before, and your words confirm my statement, PGP is not used because it is too complicated. It starts with the download, where people are immediately confused because there is a set of programs; to be honest, only Kleopatra is needed, but an average person doesn't know about this and downloads the full package (which only makes the confusion even bigger later on). Every next step is more confusing, and I am not surprised that almost nobody is using this if they really don't have to.

I think my computer knowledge is much higher than that of an average person, but still, I find PGP encryption using Kleopatra not easy to do, especially if one has to do the initial setup on his own and never had any experience with PGP or Kleopatra.

Maybe there are other better and more user-friendly PGP programs that I don't know about?

legendary
Activity: 3808
Merit: 1723
August 26, 2019, 01:41:45 AM
#31
How did the OP get the error message which had the clickable link to the fake Github page? A few months ago most Electrum server nodes started to crash any clients to prevent this from happening.

When he last used Electrum he had a server list of Electrum nodes, and it most likely tried to connect to those nodes. 100% of those nodes were good nodes, and one of those should have crashed his client before he accidentally found a node which was fake to display the message.

legendary
Activity: 3472
Merit: 10611
August 25, 2019, 10:25:59 PM
#30
To be honest, I have never checked signatures until today. Already downloaded Kleopatra (a couple of times) and started the process (with the help of a how-to tutorial) but always gave up halfway.
I am sure I have failed every time because it is just not easy to set up PGP, and I didn't need it very badly, for example, to secure all my BTC holdings. In such circumstances, I would do it for sure, no matter how time-consuming and complicated it could be.

Well, it is a matter of how you value your own security. Sometimes we have to endure a complicated process to reach the high security we need. It doesn't come cheap.
With that said, I am a Windows user and have only verified a signature on Windows once. I didn't like Kleopatra either, but I did a workaround: I used Ubuntu. I downloaded and verified the Ubuntu signature, and now I have that for easy verification each time I download new software.

This is not the first time we have problems with malicious links to wallets on the web and here on Bitcointalk.
It is probably the biggest attempt, but certainly not the first. There have been many more in the past; I myself have reported at least 10 or 12 malicious repositories on GitHub trying to fool people into thinking they are downloading the "real" Electrum from the "real repository"!

Quote
Still, I haven't heard about signatures check using PGP, until a couple of months ago, ...
I think, the best way to handle this is an informational campaign...
from 2016: https://bitcointalksearch.org/topic/verifying-bitcoin-core-1588906
It is a good idea to inform others as much as we can, but still, the information is already out there; users must look for it themselves.

legendary
Activity: 2268
Merit: 18748
August 25, 2019, 01:20:11 PM
#29
I agree with you, but I was not talking only about the Electrum wallet and rather had in mind a much bigger picture. What I mean is that we should try to inform people (as best we can) to develop a habit of checking every signature of a downloaded file using PGP, especially when it comes to programs with sensitive data, but not only those, of course.
I agree that would be ideal, but the chances of 100% of users checking 100% of the time is 0%. People should also always be checking the URL of the page they are entering their details in to, they should be checking the sending address of the email claiming to be from their bank, they should be scanning every file they download for malware, they should be double checking the sending address they just copy pasted, and so forth. Unfortunately, most people don't pay any attention to basic security and safety measures until they have already fallen victim.

It's for these reasons that banks keep implementing more and more security steps you have to go through and hurdles you have to jump to be allowed to spend your own money. People who pay no attention and keep getting scammed make the system worse for the rest of us. As bob123 says, we do have an issue with wallets being too complicated for the average person, whose only tech knowledge is how to post selfies on social media.
legendary
Activity: 1624
Merit: 2481
August 25, 2019, 10:12:30 AM
#28
you should not even care where you download the binaries from because even if you download them from the official website it still is not safe until you cryptographically verify its digital signature.
And if you ever wonder why the average person won't adopt bitcoin, see the above quote.  Lol.

The average person is not ready yet to take responsibility for their own money.
It is the average person who gets involved in credit card fraud because they entered it into a shady site or on an open wifi.

Verifying a signature is a mandatory step which takes less than a minute. And with all the guides available and all the messages telling you to verify it, it is quite sad that people still don't do that.

We definitely can have adoption of bitcoin. But first we need some idiot-proof wallets (e.g. hardware wallets embedded into mobile phones with triple checking of everything).
Hardware wallets can already be used by average persons, if they are capable of reading and double checking the address on the display.
It is just that the riskier wallets (desktop, mobile and paper wallets) need more tech-savvy people who know how to protect digital information and how to verify the integrity of data.
legendary
Activity: 3528
Merit: 7005
August 25, 2019, 09:37:21 AM
#27
Before the 3.3.3 update was released, Electrum had never notified users of available updates. You are the one at fault.
I almost fell for this and wasn't aware of how you got notified of Electrum updates.  I got a pop-up to upgrade and proceeded to do so, but my virus protection software said the update had malware on it.  Crazy.  That was like 2 months ago or so.  I assume that's the issue OP had.

Aside from that, Electrum is a great wallet--you just have to be careful about hacking attempts, I guess.  I wouldn't go so far as to blame OP for falling for the trick, as he hadn't used the wallet in some time and had no reason to think he'd get scammed that way.

you should not even care where you download the binaries from because even if you download them from the official website it still is not safe until you cryptographically verify its digital signature.
And if you ever wonder why the average person won't adopt bitcoin, see the above quote.  Lol.
legendary
Activity: 2744
Merit: 1708
August 25, 2019, 08:23:05 AM
#26
There is no way to contact everyone who uses, or intends to use, Electrum - there is no database of users, in-wallet messaging service, or email sign up. The best that can be done is to give clear instructions on the site, which is already done. On the landing page it says to verify the signature, and on the download page there is a box which explains why you should verify signatures, and provides links to various tutorials...

I agree with you, but I was not talking only about the Electrum wallet but rather had in mind a much bigger picture. What I mean is that we should try to inform people (as best we can) to develop a habit of checking every signature of a downloaded file using PGP, especially when it comes to programs with sensitive data, but not only those, of course. The best outcome would be when literally every download is checked. This is exactly as it was with VirusTotal: at some point, I started to scan almost all URLs, files and downloads which were new or seemed suspicious to me. So far I have never been hacked, or I don't know about it.
legendary
Activity: 2268
Merit: 18748
August 25, 2019, 07:49:00 AM
#25
I am sure I failed every time because it is not easy to set up
Have you seen Abdussamad's page of Electrum guides at https://bitcoinelectrum.com/? There is one for how to verify Electrum using Kleopatra (link here) which is pretty straightforward to follow and use. Hopefully it should help you out. Make sure you double check Thomas V's GPG key which appears on that page, to protect yourself in the rare chance that that site is hacked.

I think, the best way to handle this is an informational campaign, to let people know about the need for PGP signature check and how to do it correctly.
There is no way to contact everyone who uses, or intends to use, Electrum - there is no database of users, in-wallet messaging service, or email sign up. The best that can be done is to give clear instructions on the site, which is already done. On the landing page it says to verify the signature, and on the download page there is a box which explains why you should verify signatures, and provides links to various tutorials.

As you say, we can talk about it on the forum, but the majority of threads are ones such as this one - users who have already ignored the instructions, installed malware, lost their coins, and then come to complain. Few users seem to spend any time doing basic due diligence before downloading and installing new software.
legendary
Activity: 2744
Merit: 1708
August 25, 2019, 06:24:16 AM
#24
...even if you download them from the official website it still is not safe until you cryptographically verify its digital signature. the only thing that you should ever worry about is acquiring the real public key of the developer...as long as PGP is not broken (which it is not) there is no way to fake this...

I agree with you, and we should do all we can to inform at least Bitcointalk members about this and educate them further on how to use PGP encryption and programs like Kleopatra.
As we all know, the most used OS is Windows, and it is not so easy to verify signatures on this system for beginners or not tech-savvy people.

To be honest, I have never checked signatures until today. I have already downloaded Kleopatra (a couple of times) and started the process (with the help of a how-to tutorial) but always gave up halfway.
I am sure I have failed every time because it is just not easy to set up PGP, and I didn't need it very badly, for example, to secure all my BTC holdings. In such circumstances, I would do it for sure, no matter how time-consuming and complicated it could be.

This is not the first time we have problems with malicious links to wallets on the web and here on Bitcointalk. I think I have seen already all kinds of wallet hacks: changed links in quotes, changed links in ANN and bounty threads, posting links from hacked accounts, malicious updates and pop-ups, fake redirects, counterfeit signatures, etc. You name it - I have seen it.

Still, I hadn't heard about signature checks using PGP until a couple of months ago, when the problems with the Mycelium wallet exploded. I have been on the forum for a long time and frequently, and from what I have seen, everybody was always using VirusTotal as the reference tool to check wallets for viruses and verify them. In all wallet reviews posted here, I have never seen a single PGP signature check being made.

Sometimes viruses were found by VirusTotal in wallets, and I have written about this to warn other members. I just couldn't believe that some of them tried to defend these wallets, vouched they were clean, and claimed all found viruses were only "false positives" and totally not harmful. In the beginning, there were no viruses in wallets at all, not even false positives, but somebody started misinformation (on purpose) and wrote a couple of posts, articles and answers about false-positive matches on VirusTotal. This changed the opinion of enough members to bring chaos and total misinformation about false-positive virus warnings in the scanned wallets. In my opinion, it was done on purpose, and we missed it on our watch.

I think the best way to handle this is an informational campaign, to let people know about the need for a PGP signature check and how to do it correctly. There is actually no other way to be relatively safe when downloading something online than to do the PGP signature check every single time. We should talk about this and keep repeating it on every occasion, especially in the Beginners and scam sections. If we start to do it, I am sure members will create a lot of additional content about PGP (tutorials, translations, guides to Kleopatra, etc.) and the word will keep spreading further kinda automatically.
legendary
Activity: 3472
Merit: 10611
August 24, 2019, 10:59:47 PM
#23
~
I think this one is the biggest threat from all fake URL's I have seen so far and people should be aware of these.

Actually, this does not concern wallets at all, because technically you should not even care where you download the binaries from: even if you download them from the official website, it still is not safe until you cryptographically verify the digital signature.
The only thing that you should ever worry about is acquiring the real public key of the developer. Then you could even receive the binaries in your email from someone and check the signature with that public key. As long as PGP is not broken (which it is not), there is no way to fake this.

Those people who got scammed (mentioned in the comment you quoted) got scammed because they never bothered with signature verification, ever.
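The point made in this post (#23) and in #25 above (check the developer's real key, not just "Good signature") is easy to get wrong in practice: gpg prints "Good signature" for any key in the local keyring, including a key an attacker's fake page told you to import. The following added example, not code from any poster or from the Electrum project, parses gpg's machine-readable `--status-fd` output and accepts a download only when the VALIDSIG fingerprint equals a fingerprint pinned in advance; the pinned fingerprint and the status lines are constructed placeholders.

```python
import re
import subprocess
from dataclasses import dataclass

# CONSTRUCTED placeholder, not a real key: replace it with the developer's
# fingerprint obtained from a source independent of the download page.
PINNED_FINGERPRINT = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
# Status tags after which the file must be treated as unverified.
FATAL_TAGS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

@dataclass
class VerifyResult:
    ok: bool
    reason: str
    fingerprint: str = ""

def normalize_fpr(fpr: str) -> str:
    """Drop the spaces gpg prints inside fingerprints and fold to upper case."""
    return re.sub(r"\s+", "", fpr).upper()

def check_status(status_output: str, expected_fpr: str) -> VerifyResult:
    """Decide from `gpg --status-fd 1 --verify` output whether the pinned key signed the file.
    GOODSIG alone only proves that *some* key in the local keyring made the signature
    (a key imported from a fake site qualifies); the VALIDSIG fingerprint must also match."""
    expected = normalize_fpr(expected_fpr)
    good_sig, seen_fprs = False, []
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                                  # human-readable noise, skip
        fields = line.split()
        tag = fields[1]
        if tag in FATAL_TAGS:
            return VerifyResult(False, f"gpg reported {tag}")
        if tag == "GOODSIG":
            good_sig = True
        elif tag == "VALIDSIG" and len(fields) >= 3:
            seen_fprs.append(fields[2].upper())       # fingerprint of the signing (sub)key
            if len(fields) >= 12:
                seen_fprs.append(fields[11].upper())  # primary key fingerprint, when a subkey signed
    if not good_sig or not seen_fprs:
        return VerifyResult(False, "no valid signature found")
    if expected not in seen_fprs:
        return VerifyResult(False, "good signature, but NOT from the pinned key", seen_fprs[0])
    return VerifyResult(True, "signature made by the pinned key", expected)

def verify_download(file_path: str, sig_path: str,
                    expected_fpr: str = PINNED_FINGERPRINT) -> VerifyResult:
    """Run gpg on a downloaded file and its detached .asc signature (needs gpg installed)."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
                          capture_output=True, text=True)
    return check_status(proc.stdout, expected_fpr)

# Constructed status output in the shape gpg emits with --status-fd (not from a real run).
STATUS_PINNED_KEY = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Placeholder Developer <dev@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2019-08-25 1566720000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Same output, but made by a different key that the user imported from a fake page.
STATUS_OTHER_KEY = STATUS_PINNED_KEY.replace("0123456789ABCDEF0123456789ABCDEF01234567",
                                             "FEDCBA9876543210FEDCBA9876543210FEDCBA98")
STATUS_TAMPERED = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 0123456789ABCDEF Placeholder Developer\n"

if __name__ == "__main__":
    for label, out in (("pinned key", STATUS_PINNED_KEY), ("other key", STATUS_OTHER_KEY),
                       ("tampered", STATUS_TAMPERED)):
        r = check_status(out, PINNED_FINGERPRINT)
        print(f"{label:11s} ok={r.ok}  {r.reason}")
```

`verify_download()` is the real entry point once gpg and the developer's key are installed; the constructed samples only exercise the decision logic offline.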
legendary
Activity: 2744
Merit: 1708
August 24, 2019, 02:35:53 PM
#22
...all of these users are at fault for not using the common sense. If you had looked at your address bar, you would have noticed that you were not on the official website...

I would agree with you until I have seen this post:

The most tricky phishing website I've heard of was this one. It looks like Binance.com but there is no "n". This is a strange n with a dot at the bottom.


source

How to deal with such a phishing address? Those dots are almost unnoticeable.

Very good that you shared this.

I had to look at the URL for quite some time to spot the difference, and to be honest I wasn't able to...

Even after I had read about the dots, I was still trying to clean the screen because I was sure it was something on the screen.

I think this one is the biggest threat of all the fake URLs I have seen so far, and people should be aware of these.
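The "n with a dot at the bottom" trick quoted in this post is a Unicode homoglyph: the browser connects to a punycode (`xn--`) domain that merely renders like the brand. As an added example (not code from any poster), the following checks a URL's hostname for non-ASCII characters, shows what the browser would actually resolve, and reduces the name to the ASCII "skeleton" a human sees so it can be matched against an allowlist of intended brands; the sample domains and the brand list are constructed assumptions, and the Cyrillic look-alike table is a small, well-known subset that generalises beyond the thread's Latin-diacritic case.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist of sites the wallet user actually intends to visit.
KNOWN_BRANDS = {"binance.com", "electrum.org", "github.com"}

# A few Cyrillic letters that render identically to Latin ones. NFKD does not
# fold these, so they are mapped explicitly (small, well-known subset).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"}

def skeleton(host: str) -> str:
    """Reduce a hostname to the ASCII string a human *sees*: decompose accented
    letters, drop the combining marks (the 'dot at the bottom'), then fold
    known look-alike letters."""
    decomposed = unicodedata.normalize("NFKD", host.lower())
    base = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(CONFUSABLES.get(ch, ch) for ch in base)

def analyze_host(host: str) -> dict:
    """Report whether a hostname is pure ASCII, what the browser would really
    connect to (punycode), and which known brand it visually impersonates."""
    host = host.strip().rstrip(".").lower()
    is_ascii = host.isascii()
    try:
        punycode = host.encode("idna").decode("ascii")
    except UnicodeError:                 # label that IDNA refuses to encode
        punycode = ""
    skel = skeleton(host)
    suspicious = [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "?"))
                  for ch in host if not ch.isascii()]
    impersonates = skel if (not is_ascii and skel in KNOWN_BRANDS) else ""
    return {"host": host, "ascii": is_ascii, "punycode": punycode,
            "skeleton": skel, "non_ascii": suspicious, "impersonates": impersonates}

def analyze_url(url: str) -> dict:
    """Convenience wrapper: pull the hostname out of a full URL first."""
    return analyze_host(urlsplit(url).hostname or "")

if __name__ == "__main__":
    # Constructed samples: the genuine site, the thread's dotted-n variant, and a Cyrillic variant.
    for sample in ("https://binance.com/login",
                   "https://bi\u1e47a\u1e47ce.com/login",
                   "https://\u0435lectrum.org/download"):
        r = analyze_url(sample)
        verdict = f"looks like {r['impersonates']}" if r["impersonates"] else "no look-alike"
        print(f"{sample}\n  ascii={r['ascii']} resolves={r['punycode']} -> {verdict}")
        for ch, code, name in r["non_ascii"]:
            print(f"  suspicious character {ch!r} {code} {name}")
```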
legendary
Activity: 3668
Merit: 6382
August 24, 2019, 12:26:36 PM
#21
I agree that there is a problem; in fact, most of us maybe create public opinion by saying "Do not use web wallets", and most users think desktop wallets are a safe option. I am not sure whether it is more appropriate to direct users to hardware wallets; so far they are safe, but who can guarantee that this will be the case tomorrow or in a year?

Well, cold wallets are safe and nowadays they're not so difficult to set up.
And there's always the option of storing on paper wallets (of course, they have to be properly done, and of course, there were problems there too, mostly because of not-random-enough seeds).
But you are right. Human error is always a factor that has to be properly counted in.
legendary
Activity: 1624
Merit: 2481
August 23, 2019, 07:49:18 AM
#20
I don't feel like electrum is responsible for anything.

You mix things that should not be mixed - banks, universities or fiat are something completely different than cryptocurrency. How can you say that Electrum developers are not "responsible for anything"? They develop that software, and they did not see the vulnerability which was used for distribution of the fake wallet.

Let's put aside the ignorance of users; they are the victims of their ignorance, but it all started with an exploit in Electrum - saying that all blame is on users is not fair in my opinion.

There is not a single software without vulnerabilities. Not a single one.

And the vulnerability in Electrum has a CVSS score of roughly 3/10.
That is very far away from a severe vulnerability. The severity is low, at most.

There is absolutely nothing which can happen based on this vulnerability alone. The user has to make several mistakes in a row (falling for the phishing message, downloading from a fake site, not verifying the signature, executing malware ...) in order to lose coins.
Those people most likely would also fall for a cheap phishing mail.

IMO absolutely their fault. No one forced them to use electrum. And neither did anyone force them to download malware from a fake site.
legendary
Activity: 3234
Merit: 5637
August 23, 2019, 07:40:32 AM
#19
I don't feel like electrum is responsible for anything.

You mix things that should not be mixed - banks, universities or fiat are something completely different than cryptocurrency. How can you say that Electrum developers are not "responsible for anything"? They develop that software, and they did not see the vulnerability which was used for distribution of the fake wallet.

Let's put aside the ignorance of users; they are the victims of their ignorance, but it all started with an exploit in Electrum - saying that all blame is on users is not fair in my opinion.

I mean: we (as community) kept telling people that web wallets are not safe enough. But hot wallets can be a problem too.

I agree that there is a problem; in fact, most of us maybe create public opinion by saying "Do not use web wallets", and most users think desktop wallets are a safe option. I am not sure whether it is more appropriate to direct users to hardware wallets; so far they are safe, but who can guarantee that this will be the case tomorrow or in a year?
legendary
Activity: 1624
Merit: 2481
August 23, 2019, 05:59:24 AM
#18
So we can say that users are guilty of becoming victims of phishing, and this is true - the same as Electrum is guilty of serving as the perfect platform for such an attack.

I don't feel like Electrum is responsible for anything.

It is an open source wallet, and everyone should use common sense when dealing with sensitive information (which private keys are).
You can't blame Electrum for serving as a kind of platform to perform such attacks. You'd have to also make banks responsible for online-banking or check fraud, and the universities of the US for creating email - which is the most common 'platform' for phishing.

Just because someone offers a platform or technology doesn't mean he is responsible for anything which happens with it.
You don't blame Satoshi for creating bitcoin and the involved crimes (blackmailing, money laundering, etc.), do you? Or the government for their fiat and the involved crimes (drug dealers and hitmen being paid with fiat, etc.)?
legendary
Activity: 3668
Merit: 6382
August 23, 2019, 04:27:10 AM
#17
So we can say that users are guilty of becoming victims of phishing, and this is true - the same as Electrum is guilty of serving as the perfect platform for such an attack.

Somehow I fear it's not emphasized enough that people should not keep big amounts of money in hot wallets, wallets that go online, even if that happens very seldom.
Just because all the bad things can happen, no matter whose fault it is.

I mean: we (as community) kept telling people that web wallets are not safe enough. But hot wallets can be a problem too.
legendary
Activity: 3234
Merit: 5637
August 23, 2019, 04:22:26 AM
#16
What is the point of talking to someone about something that was supposed to be done a long time ago? He is not the first and certainly not the last person who will lose money in this way; this is unfortunately something that will happen for years to come. As I said before, there are those who open their wallets every one or two years, or at a time when the BTC price is going up - probably 8 of 10 will download that fake wallet.

There is no doubt that the main culprits in this story are the Electrum developers, who did not notice this vulnerability, and in doing so they allowed some bad people to steal large quantities of BTC, and they will do that for years.

So we can say that users are guilty of becoming victims of phishing, and this is true - the same as Electrum is guilty of serving as the perfect platform for such an attack.